Chris McDonough writes:
> You didn't protect the isMember document. It's viewable by Anonymous. The
> Zope security machinery short-circuits authentication for resources that
> don't require it. This means that when you view a resource that's
> unprotected, you view it "as Anonymous". Anonymous doesn't have the Member
> role, so you see "You are NOT a Member" when you view /isMember.
>
> I don't particularly like this behavior, but it seems not to bother anyone
> else. I think it should authorize you and set AUTHENTICATED_USER if you
> pass in auth info regardless of the protection on the resource you're trying
> to view.
It would bother me a lot, if you were right :-)
Fortunately, you are not completely right.
What really happens is the following:
when ZPublisher has located the object addressed by
the request URL, it starts going back its way
along PARENTS to find a UserFolder that can
authenticate a user with sufficient permissions
to call the object.
If the object is unprotected, then no permissions
are required. In this case, the top level
UserFolder will return "Anonymous",
if it is reached and it cannot authenticate the
user.
Therefore, an unprotected object can be
called by Anonymous and in this case,
"hasRole" is that of "Anonymous", as Chris
reported.
However, if previously a protected object
has been accessed, then your browser may (and usually
will) send Authentication information with
all following requests.
A UserFolder will use this information (if present)
to authenticate the user, even if no permissions
are necessary for object access.
If successful, AUTHENTICATED_USER will not
be "Anonymous" even though the accessed object
is unprotected.
Dieter
_______________________________________________
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announcehttp://lists.zope.org/mailman/listinfo/zope-dev )